In a new article on the SecurityWeek website, Cyber Risk = Business Risk. Time for the Business-Aligned CISO, RiskLens CEO Nick Sanna writes that this era of heightened awareness of cybersecurity should be a great opportunity for CISOs to command the attention of top brass but “it’s also a challenge that many infosec pros won’t be prepared for.”
The Board and the C-suite expect to discuss cyber risk in the same terms as other topics in enterprise risk management, Nick writes. “Other business units can answer questions about probable losses as a range of dollar amounts. Against those numbers, decision makers can set a ‘risk appetite’.”
But in infosecurity shops, “it’s often an IT-centric not a business-aligned viewpoint,” Nick writes. “Maturity ratings” based on “frameworks”, or risk heat maps based on gut feelings of cyber risk analysts, or counts of patches applied may make sense to cybersecurity practitioners but they’re not effective communication tools to the rest of the business. To truly become business-aligned, Nick recommends, CISOs should look to the FAIR model for analyzing cyber risk in financial terms.
Read the complete article, Cyber Risk = Business Risk. Time for the Business-Aligned CISO, on the SecurityWeek website.
RiskLens is powered by FAIR, the international standard model for cyber risk quantification. Gartner, the leading tech consultancy, recently recommended cyber risk quantification as one of the critical components of an integrated cyber risk management program. More than 3,000 CISOs, cyber risk analysts and other infosecurity professionals are members of the FAIR Institute.